Evergreen Dental Kft. (hereinafter ‘Controller’; registered seat: 3075 Márkháza, 05/2 hrsz.) as Controller, during the management of personal data, complies with the provisions of the 2016/679 Decree of the European Parliament and of the Council (27th April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and the relevant laws.
Evergreen Dental Kft. respects Your (hereinafter: ‘Data Subject’) rights regarding the protection of personal data. This Notice briefly summarizes what kind of data are collected, how may we use them, and informs about the tools availed by us and your data protection and legal opportunities.
The detailed regulation is found in the aforementioned Decree, if You need more information, please study the Regulation.
- ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;;
- ’Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- ’Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- ’Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- ’Recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
- ’Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- ’Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- ’Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
- ’Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- ‘Authority’: the National Data Protection and Information Freedom Authority, www.naih.hu
- Controller (Service Provider) designation, contact details
Controller’s name: Evergreen Dental Korlátolt Felelősségű Társaság (Ltd.)
Registered seat: 3075 Márkháza, 05/2 hrsz.
Postal address: 1061 Budapest, Andrássy rd. 45. 1/ 4.
Company reg. No.: 01-09-283836
Call centre: +36 1 201 08 35
Customer Service e-mail address: firstname.lastname@example.org
- Purpose of data processing, scope of processed data, term of data processing, persons entitled to learn data
Purpose of data processing
Personal data may be processed only for specified purposes, in the necessary extent, to exercise rights or fulfil obligations. The data processing shall comply with the purpose of data processing in each phase, the data collection and processing shall be legal and fair. Personal data may be processed only in the extent and for the term necessary for the achievement of the specific purpose. Controller regulated in internal regulations, that only the recipients involved in the achievement of the specific purposes shall process the data.
Controller processes personal data regarding the provisions of law in the following cases:
- Invoice issuing about the order
Controller processes personal data on substantial public interest in the following cases:
- Identification of data subject as customer,
- Registering of the order of product/service, and fulfilment of ordered service, and sending related notifications,
- Payment transactions,
- Registering the Data Subject’s data for the purposes of providing services,
- Operation of IT background required to provide services,
Controller may process personal data upon Data Subject’s express and voluntary consent in the following cases:
- Notification of relative provided by the Data Subject. (Personal data of the relative may be provided by the Data Subject only upon the prior, express and voluntary consent of the relative).
- Analysis of the website’s use, development of user’s experience.
Provision of data upon voluntary consent is not required to arrange an Agreement, Data Subject is not obliged to provide his/her personal data for this purpose. Possible consequences of the omission of providing data:
Scope of processed data, term of processing, persons entitled to learn such data
In accordance with the provisions above, referring to the designated legal basis, we collect and process the following data until the designated retention period.
DATA PROCESSED ON LEGITIMATE INTERESTS
|Name of data||Retention period|
|Name||The retention period following the cessation of legitimate interest or related provisions of laws (6:22§ of the Civil code): 5 years|
|Date of birth|
|Social security No.|
|OEP membership No.|
|Medical data (contagious disease, allergy, therapy, eating disorder, recurring disease, genetic disease, smoking, hormone disorder, taken medicines and their dosage, other health-related information)|
|Type of necessary intervention|
DATA PROCESSED UPON THE PROVISIONS OF LAW
|Name of data||Retention period|
|invoicing name||The retention period (6:22§ of the Civil code): 5 years|
|bank account number (if required)|
DATA PROCESSED UPON VOLUNTARY CONSENT
|Name of data||Retention period|
|photo about the treatment area||Retention period until unsubscribe|
|Name, phone number and e-mail address of person to be notified in case of emergency||Retention period until unsubscribe|
|Cookie||Retention period until unsubscribe|
Data subject may inform about how to unsubscribe in the Chapter 5 of the Informative.
Duration of processing:
Evergreen Dental Ltd. will process data that is processed on the basis of consent until your consent is withdrawn, but for a maximum of 5 years.
Medical records will be kept by our Company for at least 30 years from the date of their collection, in accordance with Article 30 of Act XLVII of 1997 on the management and protection of health and related personal data. Invoices must be kept for 8 years from the date of their issue in accordance with Article 169 § 2. of Act C of 2000 on Accounting. Therefore, in cases where the legal basis for the processing is based on law, Evergreen Dental Ltd. will process your personal data indicated therein for the period specified above, irrespective of any withdrawal of your consent.
- Collection, use and forwarding of personal data
Controller, in case of collecting personal data, shall comply with the relevant provisions of laws, restrictions and ethic norms.
- Shall notify the Data Subject prior to the data processing according to the prescribed method about its data processing practices.
- Shall collect, store and use personal data only for pre-defined purposes. The collected information shall always comply with the provided purpose, is relevant and is in appropriate extent.
- Shall take reasonable measures to achieve the specific purpose, that Data Subject’s personal data shall be accurate, complete, up-to-date and reliable for the actual purposes.
- For promotional purposes, it shall use your personal data only upon your willing consent, and provide the Data Subject the opportunity to prohibit such communication.
- Shall take proportional and reasonable measures to protect the Data Subject’s personal data, including cases when it discloses them to third parties. Data shall not be disclosed to third parties without the Data Subject’s prior, express consent.
Controller shall avail the following Data Processor(s) to process personal data for the activities listed below:
|Data Processor||Company reg. No./ VAT No.||Performed activity|
|M.O.C. Hungary Kft.||01-09-860402 / 13537566-2-41||IT service provider|
|KF&t Kft.||01-09-163310 / 10691517-2-42||Bookkeeper|
|Herke & Szabó Law Office||02-06-065926||Attorney|
|Vesodent Kft.||06-09-019474 / 23898037-1-06||Medical sub-contractor|
|dr. Attila Simay||/ 67655889-1-25||Medical sub-contractor|
|dr. Gábor Nagy||/ 68684857-1-35||Medical sub-contractor|
|Schadent Acuta Kft.||01-09-209815 / 25347324-1-43||Medical sub-contractor|
|dr. Béla-Gábor Szabó||/ 67969443-1-42||Medical sub-contractor|
|dr. Tamás Rádi||/ 67234655-1-26||Medical sub-contractor|
- Access to personal data, modification, correction and portability
Data Subject is entitled to receive confirmation from Controller whether the processing of his/her data is in progress, and if yes, then (s)he is entitled to gain access to his/her personal data and the following information:
- purpose of data processing;
- categories of the relevant personal data;
- categories of such recipient(s), who the personal data are/will be disclosed to.
Data Subject is entitled to make Controller forthwith correct the inaccurate personal data on request. Taking the purpose of the data processing into account, Data Subject is entitled to request the amendment of the deficient personal data, by means of providing supplementary statement.
Data Subject is entitled to receive the relevant personal data disclosed to Controller by him/her in a widely used, computer-compatible form, and further entitled to disclose such data to another Controller without Controller’s objection (who the personal data are disclosed to), provided that:
- the processing is based on voluntary consent or such an Agreement, whereas Data Subject is one of parties; and
- the processing is performed in an automated way.
- Erasure, restriction of personal data, right to object
£[convert number="1" from="EUR" to="GBP"] It is Data Subject’s right and Controller’s obligation to erase date related to him/her without any delay, if any of the following reasons occur:
- personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- Data Subject withdraws his/her voluntary consent, which was the base of the data processing through the contact details provided by Controller, and the data processing no longer has legal grounds;
- Data Subject objects to the data processing for reasons related to his/her circumstances or due to direct marketing against the data processing, and there is no prevailing purpose to process data;
- the personal data have been unlawfully processed;
- the personal data need to be erased to fulfil legal obligation stipulated by the European Union or the Member State;
- the personal data have been collected in relation to the offer of information society services directly to minors.
£[convert number="2" from="EUR" to="GBP"] Where the controller has made the personal data public and is obliged pursuant to £[convert number="1" from="EUR" to="GBP"] to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
£[convert number="3" from="EUR" to="GBP"] £[convert number="1" from="EUR" to="GBP"] and £[convert number="2" from="EUR" to="GBP"] shall not apply, if the processing is required:
- to exercise the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of occupational health or public health;
- for archiving purposes in the public interest, historical research or statistical purposes, if the exercise of right provided in £[convert number="1" from="EUR" to="GBP"] would be impossible or would involve disproportionate effort to process data; or
- for the establishment, exercise and defence of legal claims.
£[convert number="1" from="EUR" to="GBP"] Data Subject is entitled to make Controller restrict data processing, if any of the following conditions are met:
- Subject contests the accuracy of personal data, in this case, the restriction applies on that period, which enables the Controller to check the accuracy of the personal data;
- the data processing is unlawful, and Data Subject objects the erasure of the data, and request their restriction instead;
- Controller no longer needs the personal data for processing purposes, but Data Subject requests them for the establishment, exercise and defence of legal claims; or
- Data Subject objected the data processing due to a reason related to his/her own circumstances; in this case the restriction applies on the period, until it is declared, that Controller’s legitimate interests override the Data Subject’s legitimate interests.
£[convert number="2" from="EUR" to="GBP"] If the data management is restricted according to £[convert number="1" from="EUR" to="GBP"], then such personal data may be processed (except storage) only upon Data Subject’s consent, or to submit, enforce or protect legitimate claims, or to protect the rights of other natural or legal persons, or based on substantial public interests of the European Union or any of its Member States.
£[convert number="3" from="EUR" to="GBP"] A data subject who has obtained restriction of processing pursuant to £[convert number="1" from="EUR" to="GBP"] shall be informed by the controller before the restriction of processing is lifted.
Data Subject is entitled to object the processing of his/her personal data due to his/her own circumstances anytime, if the data are processed within the exercise of public authority duties or to enforce the legitimate interests of Controller or a third party, including the profiling based on the aforementioned provisions. In this case, Controller shall no longer process personal data, except Controller is able to prove, that data processing is justified by such compulsive legal purposes, which override the interests, rights and freedom of the Data Subject, or which are related for the establishment, exercise and defence of legal claims.
If the personal data are processed for direct marketing purposes, then Data Subject is entitled to object such processing of his/her personal data, including profiling, if it is related to direct marketing.
If Data Subject objects the processing of his/her personal data for direct marketing purposes, then such personal data shall no longer be processed.
- Automated decision-making based on personal data, profiling
Controller performs neither manual, nor AI-supported automated decision-making or profiling.
- User’s opportunities for the establishment, exercise and defence of legal claims
User, in case of infringement of his/her personal rights, and in cases specified in this Regulation, may turn to the National Data Protection and Information Freedom Authority for help:
Name: National Data Protection and Information Freedom Authority
Postal address: 1530 Budapest, Pf.: 5.
Address: 1125 Budapest, Szilágyi Erzsébet alley 22/c.
Phone: +36 £[convert number="1" from="EUR" to="GBP"] 391-1400
Telefax: +36 £[convert number="1" from="EUR" to="GBP"] 391-1410
- Amendments to this Notice
Controller reserves the right to amend or update this ‘Notice’ anytime, without prior notification, the publishment the new version on its websites. Any amendment shall apply only on personal data collected following the disclosure of the new version.
Please regularly check our Notice to track the changes and get informed about how You are affected by these changes.
Last updated: 25th May 2018.